The Institute of Internal Auditors (IIA): OnRisk 2022, A Guide to Understanding, Aligning, and Optimizing Risk (English version) (44 pages).pdf

TABLE OF CONTENTS

Introduction 3
The OnRisk Approach 4
Top Risks, 2022 5
Key Observations 6
Key Observations Explained 7
  Notable variations in capability and relevance for certain risks 8
  Significant gap in relevance and capability ratings on several risks 10
  Risks to pay attention to going forward 11
  Perceptions of risk relevance vary greatly across ESG components 14
  Pandemic revealed opportunities to improve organizational risk management 16
  Senior executives and boards desire broader scope for internal audit services 18
Insights and Actions: Board 20
Insights and Actions: C-suite 22
Insights and Actions: CAEs 23
Methodology 24
How to Use This Report 25
Risk Stages Model 26
The Risks 28
  Cybersecurity 30
  Talent Management 31
  Organizational Governance 32
  Data Privacy 33
  Culture 35
  Economic and Political Volatility 36
  Change in Regulatory Environment 37
  Supplier and Vendor Management 38
  Disruptive Innovation 39
  Social Sustainability 40
  Supply Chain Disruption 41
  Environmental Sustainability 42

www.theiia.org

INTRODUCTION

“How complicated and unpredictable the machinery of life really is.” (Kurt Vonnegut)

In the 18 months since the COVID-19 pandemic first shuttered the world, organizations have learned to embrace the unexpected. Board members, C-suite executives, and chief audit executives, the key players in risk management, now know that low-likelihood/high-impact risks must be given greater consideration. This realization has jolted boards into greater awareness of risk management weaknesses, energized senior management to build more nimble and resilient organizations, and positioned internal audit to deliver broader value.

Indeed, the pandemic has spawned changes in how we see our trusted institutions, the value and priorities we place on our time, and our commitments to long-held social contracts about work, diversity, and the health of the world around us. It is too early for definitive answers as to which of these changes will be fleeting or permanent. However, one thing is certain. This once-in-a-century test of core social, business, political, and economic beliefs will forge changes both subtle and profound.

While historic, the lingering pandemic and its related fallout are not the only factors likely to influence risk in 2022. Growth in social upheaval, a significant shift in regulatory attitudes at the federal level, continuing economic and political volatility, continuing effects of climate change, and the marked acceleration of environmental-, social-, and governance-related issues will combine to make the coming year one filled with unpredictability and opportunity.

“COVID-19 has been a wake-up call for organizations to create a plan for the unexpected. These Hollywood-type risk scenarios are now something that should be discussed to some extent within organizations.” (C-suite, Technology)

“Risk today has become very volatile and random. You see these things occurring globally in the news and there seems to be less correlation between the cause and effect.” (Board, Retail)

THE ONRISK APPROACH

The OnRisk approach is grounded in an innovative methodology that uniquely brings together the perspectives of the major stakeholders in organizational governance: the board, executive management, and chief audit executives. Alignment of these stakeholders' views on personal knowledge, organizational capability, and risk relevance is a significant step toward achieving strong risk management in support of effective governance.

The methodology employs qualitative interviews of 30 board members, 30 C-suite executives, and 30 CAEs from 90 different organizations. The research provides a robust look at risks facing organizations and allows for both objective data analysis and subjective insights based on responses from risk management leaders. Collective ratings for each group are assigned a value based on the percentage of respondents who rate particular aspects of each risk at a 6 or 7 on a 7-point scale. For example, if 7 in 10 board members rated their organization's risk management capability on data privacy at a 6 or 7, the score would be 70%.

Further details regarding the OnRisk methodology, how to use and leverage this report, and explanations of the Stages of Risk developed in conjunction with the OnRisk approach can be found later in this report.

TOP RISKS, 2022

The 12 risks below, carefully selected from a wide assortment of risks likely to affect organizations in 2022, were vetted through in-depth interviews with board members, executive management, and CAEs. Some of the risks included

are unchanged from OnRisk 2021, some have been updated, and others have been added. For example, the 2021 risk for sustainability is broken out in 2022 into Environmental Sustainability, Social Sustainability, and Organizational Governance. All of the risks in OnRisk 2022 should have universal applicability to organizations, regardless of size, industry, or type. Risks not included in this analysis may have particular relevance to some organizations, depending on their specific circumstances. The risks are presented in order of relevance, as rated by OnRisk 2022 respondents.

CYBERSECURITY: The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations' brands and reputations, often resulting in disastrous financial impacts. This risk examines whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm.

TALENT MANAGEMENT: The increased need for and acceptance of remote operations, including working from home, as well as continued dynamic labor conditions, are redefining how work gets done. This risk examines the challenges organizations face in identifying, acquiring, upskilling, and retaining the right talent to achieve their objectives.

ORGANIZATIONAL GOVERNANCE: Governance encompasses all aspects of how an organization is directed and managed: the system of rules, practices, processes, and controls by which it operates. This risk examines whether organizations' governance assists or hinders achievement of objectives.

DATA PRIVACY: The growing list of regulations from jurisdictions around the world is making data privacy increasingly complex and dynamic. This risk examines how organizations protect sensitive data in their care and ensure compliance with all applicable laws and regulations.

CULTURE: With an increasing percentage of professional employees working remotely full or part time, organizations are challenged to maintain, enhance, or control their organizational culture. This risk examines whether organizations understand, monitor, and manage the tone, incentives, and actions that drive the desired behavior.

ECONOMIC AND POLITICAL VOLATILITY: The ongoing impacts of the pandemic combined with the normal dynamics of macroeconomic cycles have the potential to create volatility in the markets in which organizations operate. This risk examines the challenges and uncertainties organizations face in a dynamic and potentially volatile economic and political environment.

CHANGE IN REGULATORY ENVIRONMENT: Fundamental changes in government appetite for regulation can have a significant impact on organizations, including those not considered heavily regulated. This risk examines the challenges organizations face in a dynamic and ambiguous regulatory environment.

SUPPLIER AND VENDOR MANAGEMENT: For an organization to be successful, it has to maintain healthy and fruitful relationships with its external business partners and vendors. This risk examines organizations' abilities to select and monitor third-party relationships.

DISRUPTIVE INNOVATION: We are in an era of innovative business models, fueled by disruptive technologies. This risk examines whether organizations are prepared to adapt to and/or capitalize on disruption.

SOCIAL SUSTAINABILITY: Increasingly, there is a recognition that organizations have significant influence on individuals who they employ, who work in their value chain, who consume their products and services, and who live in their communities. This risk examines the ability of organizations to understand and manage the direct and indirect impacts their actions have on individuals and communities.

SUPPLY CHAIN DISRUPTION: The disruption to business-as-usual operations globally, rooted in the global pandemic, has highlighted the need for resilience in supply chains in support of organizations' achievement of strategic objectives. This risk examines whether organizations have built in the flexibility to adapt to current and future supply chain disruptions.

ENVIRONMENTAL SUSTAINABILITY: Organizations are facing increased pressure from stakeholders, including shareholders, regulators, customers, and employees, to evaluate and disclose how they are impacting the environment in which they operate. This risk examines the ability of organizations to reliably measure, evaluate, and accurately report on their environmental impacts.

KEY OBSERVATIONS

The qualitative interviews for OnRisk 2022 provide a snapshot of how the principal drivers of risk management interact, which risks pose the greatest challenges to their organizations, and how alignment on risk management efforts impacts success. Analysis of the results identified six key observations that shed light not only on how risks are understood, but also on how the ability to manage risk is perceived. In-depth examinations of these observations are found later in this report.

There are notable variations among risk management players on certain risks. Overall, there is general alignment on organizational capability, risk relevance, and personal knowledge. However, there are noteworthy variations in several key risk areas.

Significant gaps exist between risk relevance and organizational capability ratings on several risks. The gap between how risk management players rate risk relevance versus organizational capabilities is alarmingly wide for Talent Management, Disruptive Innovation, Data Privacy, Cybersecurity, and Culture.

Risks to pay attention to going forward. Five risk areas emerged as top of mind for respondents: Cybersecurity, Talent Management, Culture, Disruptive Innovation, and Economic and Political Volatility. Of note, four of the five also had the largest gaps between risk relevance and organizational capabilities, suggesting risk players know where work needs to be done.

Perceptions of risk relevance vary greatly across ESG components. While alignment among the three groups is relatively strong on these risks, Organizational Governance holds far greater relevance for respondents than do Social Sustainability and Environmental Sustainability.

The pandemic revealed opportunities to improve organizational risk management. COVID-19 may not have improved the ability to predict risks, but it increased confidence for many in reacting to risks. For others, it provided a wake-up call on how they manage risk and the added challenges associated with managing risk in decentralized or siloed conditions.

Senior executives and boards desire broader scope for internal audit services. Respondents feel that their current assurance services are adequate but suggest some improvements in assurance reporting. This offers an opportunity to demonstrate the value of independent assurance across a wider spectrum of risks.

KEY OBSERVATIONS EXPLAINED

The six key observations are examined in depth in the following pages. As noted previously, the qualitative interviews for OnRisk 2022 were designed to elicit candid perspectives on the nature and understanding of risk management through the eyes of its three principal drivers. The analysis and examination of those views reveal important insights into interactions and alignment among respondents and informative conclusions about how those interactions and alignments impact risk management.

NOTABLE VARIATIONS IN CAPABILITY AND RELEVANCE FOR CERTAIN RISKS

While overall ratings from the three respondent groups appear to reflect general alignment, deeper analysis of organizational capability and risk relevance ratings for each group finds noteworthy variations in several risk areas, particularly Disruptive Innovation. Senior executives tended to be more confident about organizational capability for most risk areas examined, except for Disruptive Innovation, where just 2 in 10 respondents rated capability as high (Figure 1). This created the largest variation between two respondent groups on capability: 23 percentage points between the C-suite and the board.

Boards are not as confident as senior executives in their organizations' capability to manage certain risks. For Talent Management and Environmental Sustainability, the capability rating was 20 points lower for board respondents compared to their C-suite counterparts. It was 13 points lower for Organizational Governance. Meanwhile, CAEs were less confident in their organizations' ability to address Supplier and Vendor Management risk. Their ratings were 20 points lower than board respondents' and 16 points lower than the C-suite's.

Figure 1: ORGANIZATIONAL CAPABILITY RATINGS BY ROLE PER RISK AREA (percentage who gave a rating of 6 or 7 on a scale of 1 to 7). Note: OnRisk 2022 interview question: “Overall, how capable is your company when it comes to handling enterprisewide risk?” Respondents could choose a rating from a scale of 1 to 7, with 1 being the lowest (“not at all”) and 7 being the highest (“extremely”). Risk areas were sorted from highest to lowest average scores. n=90.

Similar variations were noted in risk relevance ratings (Figure 2). Boards were significantly more likely to rate Disruptive Innovation as a highly relevant risk (77%) than were senior executives (50%). This 27-point variance was the greatest between any two respondent groups in the risk relevance ratings. Nearly every CAE (97%) rated Cybersecurity as a highly relevant risk to their organization, but board respondents lagged by 10 percentage points (87%) and the C-suite lagged by 20 percentage points (77%). CAEs also were more likely to describe Supplier and Vendor Management as highly relevant: 17 points higher than the board and 10 points higher than the C-suite. A similar 17-point difference is noted between CAE and board ratings for Economic and Political Volatility.

Figure 2: RISK RELEVANCE RATINGS BY ROLE PER RISK AREA (percentage who gave a rating of 6 or 7 on a scale of 1 to 7). Note: OnRisk 2022 interview question: “How relevant are each of the following risks to your current organization?” Respondents could choose a

rating from a scale of 1 to 7, with 1 being the lowest (“not at all”) and 7 being the highest (“extremely”). Risk areas were sorted from highest to lowest average scores. n=90.

SIGNIFICANT GAP IN RELEVANCE AND CAPABILITY RATINGS ON SEVERAL RISKS

While some ratings variation among individual respondent groups was expected, an analysis of the combined ratings for the three respondent groups uncovered additional insights. The analysis identified large gaps between higher risk relevance and lower organizational capability in several areas. This Relevance-Capability Gap reflects potentially significant risk management vulnerabilities.

Chief among these is Cybersecurity, which continues to exasperate organizations large and small, public and private, for-profit and nonprofit. This ubiquitous and dynamic risk was rated as the most relevant by respondents, along with Talent Management (Figure 3). Yet, on average, organizational capability lagged significantly. Large disparities also are noted for Talent Management, Disruptive Innovation, Culture, Data Privacy, and Economic and Political Volatility.

For these risks, the relationship between relevance and capability varies. A highly relevant risk may be more difficult to manage because it is unpredictable and not easily controllable, due to, for example, external factors that may augment risk velocity. This appears to be the case for three of the six risks with the largest disparities: Cybersecurity, Disruptive Innovation, and Economic and Political Volatility. However, for Talent Management, Culture, and Data Privacy, risks that can be managed internally through controls and processes, the gaps may reflect more uncertainty coming out of the pandemic rather than a lack of control.

“As we have witnessed with the pipeline hack this year, these cybersecurity attacks can have a huge trickle-down effect. All industries are susceptible to cybersecurity risk to some extent.” (Board, Manufacturing)

Figure 3: AVERAGE RATINGS PER RISK AREA (percentage who gave a rating of 6 or 7 on a scale of 1 to 7; measures: personal knowledge, organizational capability, risk relevance). Note: OnRisk 2022 interview questions: “How knowledgeable are you about each of the following risks?” “How relevant are each of the following risks to your current organization?” “Overall, how capable is your company when it comes to handling enterprisewide risk?” Respondents could choose a rating from a scale of 1 to 7, with 1 being the lowest (“not at all”) and 7 being the highest (“extremely”). All respondents. n=90.

For example, the Relevance-Capability Gap for Talent Management may reflect uncertainty as organizations emerge from nearly 18 months of pandemic-induced isolation. This unease about workforce management ranges from the challenge of devising effective return-to-work strategies to more profound changes in the employer/employee social contract. One healthcare C-suite executive credited the pandemic for an epiphany in this area. “The biggest thing on our minds right now is dealing with remote work and getting some of our employees back into the office, getting vaccinated, etc. The pandemic has definitely shown me that I was too rigid in my thought process in terms of remote work risk.”

Respondents expressed different approaches to managing risks that they cannot directly influence. For example, one financial company board member noted that regulatory change is a risk that is relevant and carefully monitored, but largely out of the organization's control. “Change in regulatory environment, for example, is very important to us. We're very careful about the way that regulations affect us. It's hard to do, and it's not something anyone can really control.” Meanwhile, a board member at a different financial services company said the firm chooses to focus on what can be governed. “We pay attention to risks that we can control. There is an importance of understanding your market and competitors when considering relevant risks that we might have less control over.”

As noted earlier, there is general alignment in personal knowledge, organizational capability, and risk relevance ratings among the respondent groups. However, the variance between relevance and capability is clearly evident in the average ratings assigned by each respondent group (Figure 3).

RISKS TO PAY ATTENTION TO GOING FORWARD

Respondents identified five risks they expect to increase in relevance in the next three to five years: Cybersecurity, Talent Management, Disruptive Innovation, Culture, and Economic and Political Volatility. Each of these falls into a risk area identified as having a large Relevance-Capability Gap. This concurrence could be viewed as troubling (organizations have fallen far behind on their capabilities to manage future risks) or encouraging (risk players intuitively recognize capability weaknesses and understand they must act to correct them).

CYBERSECURITY: The 45-point Relevance-Capability Gap for Cybersecurity (see Figure 3) reflects the near-constant struggle to keep up with the evolving and vexing nature of cyber risks. Attackers are constantly looking for new weaknesses to exploit and novel ways to cash in on their criminal activity. Ransomware and other attacks that deny organizations the use of their own systems and data are growing in number and sophistication, and the consequences are having broader impacts, as reflected in the cyberattack that temporarily halted operations of a major U.S. pipeline system in May of 2021.

TALENT MANAGEMENT: Talent Management is expected to remain a top risk for the foreseeable future. At 46 points, this risk had the largest Relevance-Capability Gap of all risks examined this year, edging out Cybersecurity. Concerns about the pandemic's impacts on the labor market and the traditional employer/employee social contract continue to keep this risk front and center in the minds of risk managers. As noted in OnRisk 2021, “This significant disruption to talent management, as well as its impact on morale, productivity, and workplace culture, will have both short- and long-term implications for organizations.” Two areas offered as evidence of potential disruption have quickly come to fruition.

The work-from-home phenomenon fundamentally changed how organizations recruit and manage talent. While having a majority of the workforce operating in remote settings posed significant immediate challenges in technology, cybersecurity, and logistics, it all but eliminated the limitation of geographic considerations when identifying and hiring the right talent. As one manufacturing C-suite executive noted, “Talent management might become more challenging with the different generational gaps now becoming emphasized in the workforce. Where are we going to find the best talent?”

Yet, the work-from-home experiment also appears to have had a profound impact on attitudes about work/life balance among various parts of the labor force. According to a June 2021 article in Forbes magazine [1], expectations for many have changed in the year spent working from home. For instance, the article notes evidence that many are reconsidering career paths, citing jumps of 20% and 18%, respectively, in law and medical school applications. A growing number of employees are leaving their jobs voluntarily. Dubbed “The Great Resignation,” this fallout from the pandemic promises to have long-term effects on the workforce. The United States saw nearly 4 million people quit their jobs in April 2021 alone, according to U.S. Bureau of Labor Statistics data, the largest single-month spike on record. Another 3.6 million left their jobs voluntarily in May. The phenomenon is not limited to the United States. [2] According to the BBC [3], a Microsoft survey of more than 30,000 global workers showed that 41% of workers were considering quitting or changing professions this year. The same report found a five-fold increase in remote job postings on LinkedIn since the start of the pandemic and that more than 46% of workers say they plan to move because they feel they can now work remotely. [4] As organizations focus on getting workers back into office settings, they should carefully weigh the tightening

labor market and how it relates to worker expectations in salaries, benefits, and work/life balance.

CULTURE: The distributed workforce created by the pandemic is feeding significant concern about workplace culture. The Relevance-Capability Gap for this risk is 36 points. Building or sustaining a company culture virtually poses significant challenges, and organizations now face the question of whether to return to pre-pandemic work arrangements or find ways to adapt to greater percentages of offsite workers. The work-from-home experience has led to positive changes, including organizations witnessing increased trust, a flattening of hierarchies, and more rapid and agile decision-making. Yet, logistical challenges with communication, worker interaction, collaboration, fostering relationships, and consensus-building remain. Fundamental shifts in the employee/employer social contract (see the section on talent management) further complicate this vexing risk.

ECONOMIC AND POLITICAL VOLATILITY: The continuing political and economic fallout from the pandemic drives this risk, pushing its Relevance-Capability Gap to 32 points. According to a July 2021 U.S. Congressional Research Service report, emergence from the pandemic will be uneven globally, meaning continued economic volatility, particularly in developing countries. “The economic impact of the pandemic is expected to lessen in developed economies where vaccinations are facilitating a return to pre-pandemic levels of activity. In developing countries, however, outbreaks of new viral variants could prolong the pandemic and dampen prospects of a recovery,” according to the report. What's more, a resurgence of COVID-19 cases brought on by new virus variants could prolong or create temporary setbacks in the recovery. [5]

[1] Kreznar, Christian, “Employers, Don't Fear The Great Resignation: It's Already Here,” Forbes, June 3, 2021.
[2] Economic News Release, “Table 4. Quits levels and rates by industry and region, seasonally adjusted,” U.S. Bureau of Labor Statistics, Washington, D.C., https://www.bls.gov/news.release/jolts.t04.htm
[3] Morgan, Kate, “The Great Resignation: How employers drove workers to quit,” BBC, July 1, 2021.
[4] Microsoft 2021 Work Trend Index, https:/
[5] “... Economic Effects of COVID-19,” U.S. Congressional Research Service, July 9, 2021, Washington, D.C.

“We all live culture, but understanding how to manage it and change it is a different beast altogether.” (CAE, Finance)

“Things were a breeze until 2008-2009. Now, 2020-2021 into 2022, we're expecting a lot of volatility. I don't have strong feelings about where the economy is going, but we're planning more now for major impacts like product shortages, delays, disruptions like that.” (C-suite, Finance)

Historically, political volatility has followed economic shocks, most recently in the wake of the 2007-2008 international financial crisis. In April, International Monetary Fund Managing Director Kristalina Georgieva warned that preexisting inequalities that have been exacerbated by the pandemic might lead not only to macroeconomic instability, but also to greater polarization, the erosion of trust in governments, and growing social unrest. [6]

DISRUPTIVE INNOVATION: Disruptive Innovation presents one of the greatest risk management challenges for organizations, which is reflected in the considerable misalignment between boards and the C-suite as it relates to risk relevance and organizational capability. This also contributes greatly to the overall 32-point gap between risk relevance and organizational capability for the combined respondent ratings. Frustration at the board level is evident. Some respondents recognize they are not prepared for managing such challenges, including one healthcare board member who said, “We're not innovative; change is very slow to happen. Everything is about bandaging; a preparedness and ability to adapt is not there.” A retail board member expressed frustration relating to not being able to see beyond the risk horizon. “If we knew what the disruptive innovation would be, we would be working on it. But we don't know what is coming.” However, the movement among senior executives toward building organizations that are more nimble and responsive to fast-moving and emerging risks could contribute to improvements in this risk area.

The Netflix vs. Blockbuster story provides a stark example of how recognizing and leveraging disruption can mean the difference between spectacular success and stunning failure. Blockbuster pioneered and dominated video rental services through a vast network of brick-and-mortar stores. Indeed, it dismissed an offer to merge with the Netflix mail-order video service in 2000. However, just six years later, Netflix dominated online video rentals, with 6.3 million subscribers compared to 2 million subscribers for Blockbuster. In 2008, Netflix leadership again showed that it recognized how technology could disrupt its business model significantly, and responded. It signed a deal to stream movies for Starz, and by 2010 it held a 20% share of North American viewing traffic after signing additional deals with Sony, Paramount, Lionsgate, and Disney. That same year, Blockbuster filed for bankruptcy.

[6] Hammond, Andrew, “The world is facing even greater political upheaval in post-pandemic world,” Arab News, April 8, 2021.

PERCEPTIONS OF RISK RELEVANCE VARY GREATLY ACROSS ESG COMPONENTS

OnRisk 2022 breaks out the three risk areas associated with ESG: Environmental Sustainability, Social

Sustainability, and Organizational Governance. Respondent ratings and responses clearly indicate that Organizational Governance dominates over Social Sustainability and Environmental Sustainability in the minds of survey participants (Figure 4). In all three OnRisk measures (personal knowledge, organizational capability, and risk relevance), respondents rank Organizational Governance among the highest of all risks examined and well ahead of Social Sustainability and Environmental Sustainability risks.

Figure 4: ESG MEASURES COMPARING RELEVANCE, KNOWLEDGE, AND CAPABILITY TO ROLE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7; risk areas: Organizational Governance, Social Sustainability, Environmental Sustainability; measures: risk relevance, organizational capability, personal knowledge). Note: OnRisk 2022 interview questions: “How knowledgeable are you about each of the following risks?” “How relevant are each of the following risks to your current organization?” “Overall, how capable is your company when it comes to handling enterprisewide risk?” Respondents could choose a rating from a scale of 1 to 7, with 1 being the lowest (“not at all”) and 7 being the highest (“extremely”). n=90.

This high ranking may be influenced by the broad relevance of Organizational Governance. Indeed, most organizations recognize the need for and value of having strong risk controls across a spectrum of risks that affect the achievement of goals. It also may reflect often heroic and aligned efforts to respond to governance challenges created by the pandemic and the need for strong leadership to overcome those challenges. Further, it indicates a growing awareness of the benefits of risk alignment among key risk management players, which supports stronger organizational governance. One manufacturing C-suite executive linked alignment with success. “We came to the conclusion that we were aligned. It showed how we are in line with most things, which I think helps us be successful.” Other comments reflect a growing awareness of the value of strong organizational governance and the dangers of weak governance:

“For a lot of public companies, capability could be higher. Just look at some of the issues that arise; if everyone was really good at it, we wouldn't be seeing so much breakdown in the structures at public companies.” (Board, Finance)

“We've now created a separate risk committee amongst our board. This has helped us to end up with some great documents regarding our organization's handle on different risks.” (Board, Finance)

“How you plan for all of the other risks can be attributed to organizational governance. It's extremely important and covers everything.” (C-suite, Manufacturing)

Advocates of corporate sustainability are quick to point to social and environmental sustainability as critical components of overall sound organizational governance. However, risk relevance rankings by OnRisk respondents did not reflect such clear associations. Indeed, Social Sustainability and Environmental Sustainability ranked in the bottom quartile in risk relevance. Despite widespread concern about climate change, fewer than half of respondents identified Environmental Sustainability as a highly relevant risk within their organizations. To be sure, comments from some respondents reflected a narrow scope of context relating to environmental sustainability.

“People at our work eat, drink, use the bathroom, but we're not producing toxins that they have to dump somewhere, so it's not something that enters the conversation.” (C-suite, Technology)

There has been growing awareness of ESG risks, as reflected in the growing number of organizations producing ESG reports and growing investor pressure for such reporting, but changes appear as likely to be driven by short-term considerations as by fundamental recognition of sustainability's value. For example, Social Sustainability has become a focal point in the last 18 months due to global events and growing social activism, but Environmental Sustainability still lags. Respondents believe a mix of real and artificial change is occurring, and most think their organization is driving real change. However, comments from some respondents reflect a mix of short-term considerations and parochial mindsets. One manufacturing C-suite executive associated the ESG movement more with marketing than with overall sustainability. “We have to have enough awareness to get through the door, get this bid, and get the job, but so far it seems like more of a gimmick for customers than a real market-driven desire.” However, others understand the value of managing environmental impacts, including a healthcare industry board member who lamented that such considerations must compete with other risks. “Most organizations want to have good environmental sustainability policies, procedures, and programs, but it is not always front and center when dealing with all these other risks.”

(See additional analysis of how the pandemic revealed opportunities to improve organizational risk management on page 19.)

Other respondents expressed a more expansive view and understanding of how ESG components can work in concert within an organization. Organization size and maturity also were cited as potential limits to managing ESG risks. Limited resources make ESG risks, particularly those relating to E and S, lower priorities. One C-suite executive from a nonprofit lamented, “I wish that we could be better with ESG, but it's just not a priority. We're a small business, so things like cybersecurity, organizational governance take precedence and environmental and social sustainability take the backseat. Some organizations are fortunate enough to have a team dedicated to ESG or

113、 even an employee working on it,but were stretched too thin as it is.”The lack of clear direction or standards for measuring and reporting ESG also was cited as a deterrent.According to one finance CAE,“Having some sort of measurement for ESG would help to drive real change.You need to be taken acco

114、untable and show that real things are happening,and then also document and report on what is happening.”However,a manufacturing industry CAE believes that companies that focus too much on reporting are missing the real benefit of ESG risk management.“The problem is that companies focused on reportin

115、g could be more artificial they could be just checking the box,putting out reports to say they did it so that their stakeholders are happy.There needs to be more initiatives and actual activity occurring.”PANDEMIC REVEALED OPPORTUNITIES TO IMPROVE ORGANIZATIONAL RISK MANAGEMENTCOVID-19 forced most o

116、rganizations to focus to some degree on how risk management efforts are aligned across their organizations.The pandemic may not have improved their ability to predict risks,but it increased confidence for many in reacting to risks.For some,it provided an opportunity to assess or reassess resilience.

For others, it provided a wake-up call on how they manage risk and the dangers of decentralized or siloed conditions. One nonprofit board member described how the pandemic proved to be eye-opening. “It has made us aware that there are scenarios that might happen in the future that we have to manage, and now we're hyper-aware of shortfalls of our risk approach.” A retail industry board member, meanwhile, saw the good and bad in the pandemic-induced introspection. “It showed us that we weren't really good at predicting risk, but I think we reacted very well. It made us aware of scenarios that might happen in the future and how we will handle them.”

“Sustainability is going to be an absolute imperative in order to preserve, maintain, and grow wealth. This is like any other investment in business. These investments need to be made in order to protect and sustain the value that's being created.” (Board, Finance)

“We need to have leaders that are open-minded to social sustainability change, that are willing to change and put in the work, or else change isn't going to happen.” (CAE, Education)

OnRisk respondents also expressed concerns about alignment with third-party providers and partners. According to one education CAE, “There is the concern that third parties are not aligned on objectives, reporting, especially with risks like cybersecurity. Organizations should improve how they monitor third-party agreements, contract management, relationship building; a lot of time they're just getting it done, and not reflecting.”

As the world slowly emerges from more than a year of shuttered economies, homebound workforces, strained or disrupted supply lines, and sobering death tolls that top 4 million globally, early focus on post-COVID-19 risk management appears to be primarily on short-term concerns. “It definitely has impacted our perspective when it comes to risk. But I don't think we have any concrete plans in place to change our risk strategy or anything long term yet. We're focusing on getting our hybrid system set up and maintaining the health and safety of our employees,” said one government sector CAE. Meanwhile, one technology C-suite executive described the struggle to simply keep the doors open. “We're still in survival mode; we haven't thought about permanent impacts of the pandemic. We never thought this would happen, so we're just trying to get by.”

For some, the pandemic offered a valuable lesson about how risks manifest across the organization. “COVID has taught us that we need to be more centralized and have an overarching strategy and guidance in place when it comes to risk management,” said one education sector CAE.

The complexity and dynamics of post-COVID-19 employer/employee relationships ranked high for many OnRisk respondents. The pandemic highlighted the importance of managing talent and culture. According to one real estate senior executive, “Our worry is about losing the culture with the new people. They never really got to experience culture because they go right from being hired to working from home.”

Long-term planning sessions are not top of mind for many, but respondents say they will focus more on contingency plans down the line. “The reality is that most companies don't have contingency plans at all. Now companies are going to have to work toward understanding contingency plans and the importance of assigning teams and positions to handle unexpected risk,” said one municipal board member.

SENIOR EXECUTIVES AND BOARDS DESIRE BROADER SCOPE FOR INTERNAL AUDIT SERVICES

For many organizations, the COVID-19 experience raised awareness of not just the value of risk management alignment among key players, but also of the potential to leverage risk assurance beyond financial and compliance risks. OnRisk respondents expressed growing interest in expanded assurance over operational and enterprise risk, as well as the need to proactively address risks. These developments point to opportunities to leverage internal audit services even more, particularly in highly relevant risk areas such as Cybersecurity, Talent Management, and Organizational Governance. Overall, respondents feel that their current assurance services are adequate but suggest some improvements in assurance reporting.

“There was a time where we were misaligned because the auditor was focused on financial risks and not enterprise risk. An organization needs to cover both.” (C-suite, Healthcare)

As understanding and appreciation of enterprise risk management grows, so do demands on internal audit to expand its scope, identify shortfalls in risk coverage, monitor emerging risks, report clearly and concisely to stakeholders, and employ greater use of technology to provide robust risk management assurance. One retail industry board member said it's time to broaden how internal audit is viewed within organizations. “Some people think that internal audit is too reactive and just dependent on the current needs at the moment. I think it's good to have internal audit thinking about the process, getting ahead, and identifying gaps.” A technology C-suite executive called on internal audit to expand its services to cover emerging risk areas. “Currently, our internal audit doesn't hit on some of these risks like environmental sustainability and change in regulatory environment.”

Not all respondents feel internal audit is critical to adequate risk management assurance. According to one information technology C-suite executive, “We don't have internal audit, but we have external audit, and I believe it is adequate for what we need.” While some organizations rely exclusively on external audit for risk management assurance, there are inherent risks in this myopic approach. Relying on risk management assurance from external audit, which historically has focused primarily on financial reporting and compliance, is in itself risky. One technology C-suite executive articulated a more sophisticated approach to risk management, which adds needed perspective: “We have a formal ERM process, with a person that leads annual reviews for the entire organization. Risks get rated, gaps get identified, and then the likelihood and significance as well as tolerance is determined. Two hundred risks are assessed and grouped together in different categories. I think because we have this process and our audit function is so tuned-in to risk, we have sufficient assurance.”

OnRisk respondents said they want to see more consistency in assurance reporting, as well as better ways to communicate findings, including more data and analysis and detail tailored to the audience. One financial industry board member stressed the need to effectively present relevant and actionable risk information: “Some risk reports are maybe too detailed, which makes it difficult for extracting insights. Detail is good, but there should be summaries of relevant info for stakeholders, board members, etc.” Additionally, internal audit must demonstrate its ability to execute and add value during crises. According to one manufacturing C-suite executive, “I think of the fire drill analogy. It's easy to walk out calmly, single file, when you know there's no fire. Would we behave exactly as we did in real life?”

“You cannot do things alone; you have to have partnerships, that is how everybody succeeds. Rather than reporting and managing in silos, you should be consistent across the organization.” (CAE, Government)

CAE respondents to the OnRisk survey recognize the opportunity and need for internal audit to improve:

“We need to determine key risk indicators, measure those, reflect, re-address, re-report; it's a cycle.” (CAE, Technology)

“There's always room for improvement in building more data analytics and assessing risk with more factual data.” (CAE, Finance)

INSIGHTS AND ACTIONS: BOARD

The wisdom of board members expanding their personal knowledge of risks beyond financial and compliance issues has never been more evident. Swift technological changes, disruptive innovation, dynamics of organizational governance, the pandemic, and its resulting economic and political shocks provide ample impetus for board members to expand how they view their risk management role. In the coming year, boards should:

IMPROVE THEIR KNOWLEDGE OF ECONOMIC AND POLITICAL VOLATILITY. As noted earlier, this risk area could have profound long-term impacts that could reshape how business is done. (See “Risks to pay attention to going forward: Economic and Political Volatility” on page 12.) Board members should develop an understanding of how volatility in both the economy and politics could impact how their organizations operate. Boards should consider directing executive management to include volatility scenarios in crisis management plans and to test such scenarios and responses.

PUSH EXECUTIVE MANAGEMENT AND INTERNAL AUDIT ON ESG RISK MANAGEMENT. Organizations should prepare for enhanced regulatory requirements and/or investor expectations on ESG reporting. The U.S. Securities and Exchange Commission and other regulators have clearly signaled interest in greater regulation in this area. Beyond ESG reporting, boards should push for an enterprisewide approach to managing ESG risks. Request an ESG risk assessment for the organization. Ask executive management what frameworks are used to determine adequacy of the organization's ESG reporting. Ask internal audit to perform assurance or advisory services, such as those relating to assessing the design and operating effectiveness of supporting ESG controls.

PUSH FOR MORE INFORMATION ABOUT CULTURE AND TALENT MANAGEMENT. Consider asking for an independent assessment of the organizational culture. Demand that executive management keep the board apprised of relevant talent management decisions and changes resulting from the pandemic.

EMPHASIZE THE IMPORTANCE OF ORGANIZATIONAL GOVERNANCE. Continually and consistently emphasize the importance of risk alignment among key risk management players. Reject siloed or decentralized approaches to risk management. Promote internal audit's role in providing independent assurance over this risk area.

INSIGHTS AND ACTIONS: C-SUITE

Executive management faces a myriad of risk management challenges complicated by the 18-month battle against COVID-19. From business continuity and crisis management to long-term implications for talent management and culture, the impacts of the pandemic will have long, lingering effects on risks and risk management. In the coming year, executive management should:

BEEF UP ITS KNOWLEDGE OF ECONOMIC AND POLITICAL VOLATILITY. As noted earlier, this risk area could have profound long-term impacts that could reshape how business is done. (See “Risks to pay attention to going forward: Economic and Political Volatility” on page 12.)

BUILD AND PLAN TO MATURE PROCESSES AND CONTROLS AROUND ESG REPORTING. Leverage internal audit's understanding of enterprise risk management and proven risk frameworks to help build effective ESG internal controls. Don't wait for external auditors to give guidance or for regulators to establish rules. Direct internal audit to provide assurance on the effectiveness of existing ESG controls, particularly as they relate to ESG reporting.

PROACTIVELY EDUCATE BOARDS ON TALENT MANAGEMENT AND CULTURE. Carefully implement and measure relevant talent management decisions, such as work arrangement preferences, and their effect on employee morale, productivity, and retention efforts. Obtain internal audit's input on return-to-workplace plans and the related range of risks, including impact on culture.

INSIGHTS AND ACTIONS: CAEs

In the midst of one of the most volatile and dynamic periods in a century, stakeholders are signaling the need for greater assurance on risk management. Internal audit must respond. In the coming year, CAEs should:

ANTICIPATE EMERGING ESG REPORTING REQUIREMENTS. Get ahead of any new requirements by understanding processes and controls in their own organization. Advocate for adoption of established sustainability frameworks. Leverage COSO's Internal Control Integrated Framework to begin evaluation of controls around non-financial reporting.

IMPROVE THEIR KNOWLEDGE OF ORGANIZATIONAL RISK AREAS WITH HIGH RELEVANCE-CAPABILITY GAPS. Identify any risk on the OnRisk list or company list where personal knowledge falls below a HIGH rating.

ACT AS A CONDUIT BETWEEN BOARD AND EXECUTIVE MANAGEMENT WHEREVER MISALIGNMENT EXISTS. Perform organizational risk analysis, leveraging the OnRisk methodology. Determine alignment on risk areas that are most relevant for the organization. Concisely share relevant highlights from OnRisk 2022 with the board and executive management to foster dialogue on how the examined risks relate to their organization.

SUPPORT GREATER FOCUS ON CULTURE AND TALENT MANAGEMENT RISKS. Be cognizant of potential misalignment as the organization transitions to a post-pandemic world. Provide assurance or advisory services related to Culture or Talent Management. For example, support board or executive management in the analysis of data resulting from employee surveys, exit interviews, or diversity and inclusion initiatives.

METHODOLOGY

Qualitative surveys measure organization alignment

The OnRisk 2022 report continues The IIA's groundbreaking approach in collecting stakeholder perspectives on risk and risk management in support of good governance and organizational success. The qualitative research provides a robust look at the top risks facing organizations in 2022. The report presents both objective data analysis and subjective insights based on responses from risk management leaders.

The qualitative survey is based on a total of 90 in-depth interviews with professionals in North American (U.S. and Canada) boardrooms, C-suites, and internal audit functions. The respondents came from 90 different organizations. As part of the interviews, respondents were asked to evaluate 12 key risks on three scales: their personal awareness and knowledge of each risk, their perception of their organization's capability to address each risk, and their views of the relevance of each risk to their organization. The ratings were based on a seven-point scale, with “Not at all knowledgeable,” “Extremely incapable,” and “Not at all relevant” being the lowest ratings (1) and “Extremely knowledgeable,” “Extremely capable,” and “Extremely relevant” being the highest ratings (7). The combined responses for the knowledge and capability ratings were then used to plot the position of each respondent group for each risk, where the X axis delineates perceived organizational capability and the Y axis delineates personal knowledge of the risk (Figure 5). The triangle created by connecting each plot point offers a graphical depiction of alignment for each risk.

Figure 5: KNOWLEDGE AND CAPABILITY ALIGNMENT (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)

HOW TO USE THIS REPORT

Explanation of graphics

Based on in-depth interviews with 90 professionals, the personal knowledge and organizational capabilities of each of the three respondent groups were measured and plotted for each risk. The simple quadrant mapping provides an effective and consistent tool to reflect those views (Figure 6). The four quadrants of the graph correspond to the magnitude of each of the two measures. For example, responses with a high average in knowledge and capability would be plotted in the top right quadrant. Conversely, responses with a low average for knowledge and capability would be plotted in the lower left quadrant. As described earlier, the averages are determined based on the percentage of respondents who provided a top-2 answer for each rating. (See “The OnRisk Approach” on page 4.)

Position plotting

Positions for each of the three respondent groups are plotted on the quadrant map not only to identify the relative knowledge and capability on each risk, but also to graphically illustrate any misalignment among the groups that may exist. The resulting triangles, referred to simply as alignment triangles in this report, provide a strong indicator of how well a risk is understood and managed. The size, shape, and location of each triangle also provide insights on what is driving any misalignment (see related sidebar).

Risk Relevance graphic

Each respondent group's rating on risk relevance is plotted on a single axis, providing a clear depiction of variations in the risk relevance rankings by board members, C-suite, and CAEs (Figure 7).

Alignment Triangles: What do they mean?

The alignment triangles created by plotting each respondent group's perspectives on each risk offer insights into how the risk is currently being managed. The shape of each triangle can provide valuable information, as well.

SHORT AND NARROW: Triangles with this basic shape suggest strong alignment on what each group knows about a risk, but significant disagreement by one respondent group about the organization's capability for addressing the risk.

TALL AND NARROW: Conversely, triangles with this basic shape suggest a significant range of knowledge among respondent groups, but strong alignment in their views on organizational capability.

SHORT AND BROAD: This basic shape suggests disagreement by more than one respondent group, with the most significant disagreement relating to the organization's capability to address the risk.

TALL AND BROAD: This basic shape suggests misalignment by more than one respondent group, with significant disagreement on both knowledge and capability.

SMALL AND SYMMETRICAL: This shape suggests strong alignment of all three respondent groups on knowledge and capability. Depending on the location of the triangle, this could reflect a risk that is well understood and managed (top right quadrant) or one that is not well understood or managed (lower left quadrant).

Figure 6: KNOWLEDGE AND CAPABILITY QUADRANTS (axes: Organizational Capability, Personal Knowledge; Board, CAE, and C-suite plotted; values shown: 77%, 70%)

Figure 7: RISK RELEVANCE RATING (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)

RISK STAGES MODEL

In today's dynamic, technology-driven world, risks can emerge and mature, sometimes at breakneck speeds. The risks discussed in this report are grouped into one of four stages (Recognize, Explore, Develop, or Maintain) as they relate to the potential impact on organizations and what actions organizations should be taking to address them. The Risk Stages Model (Figure 8) reflects how risk management evolves within the organization on the same scale as the risk rankings: Personal Knowledge and Organizational Capability. Additionally, the relevance of each risk should be understood as unique to each organization. Where each risk ranks in relevance depends on various factors, including the organization's size, industry, and type, as well as competition, maturity, position in the marketplace, supply chain, liquidity, and others. As noted earlier, there are likely risks not included in this analysis that have particular relevance to some organizations depending on their specific circumstances. Because of this unique aspect, risk relevance is not depicted in the Stages of Risk.

Stages of Risk: Explanation

RECOGNIZE: A risk is perceived as emerging and knowledge of the risk among stakeholders is low. Risk response strategies are not implemented or are not assumed to be effectively designed given the low understanding of the underlying risk. Monitoring processes have not been contemplated. Inherent risk levels are not well understood. Personal Knowledge: Low. Organizational Capability: Low.

EXPLORE: Knowledge of the risk is growing among some stakeholders, but not all. The risk may be perceived as emerging or dynamic. Risk response strategies have been contemplated, but not fully implemented. Monitoring processes have not been contemplated or are not implemented. Inherent risk levels are generally understood. Personal Knowledge: Mid to High. Organizational Capability: Low.

DEVELOP: Risk knowledge is high, at least with executive management teams. Risk response strategies may be developed or in the process of being implemented. Monitoring processes may be in contemplation but are not likely to have been fully implemented. Residual risk is generally understood. Personal Knowledge: Mid to High.

Organizational Capability: Low to High.

MAINTAIN: Risk is well understood by all relevant stakeholders and is not perceived to be changing significantly. Risk response strategies have been developed and implemented consistent with the perceived relevance of the risk. Monitoring processes are utilized to ensure risk response strategies are operating effectively as designed. Residual risk levels are understood and believed to be at an acceptable level for the organization. Personal Knowledge: High. Organizational Capability: High.

Figure 8: RISK STAGES MODEL

THE RISKS

This section examines key observations related to individual risks. Each risk page provides a risk definition and brief overview based on the qualitative interviews; maps alignment among key risk management players on personal knowledge, organizational capability, and relevance; shares insightful quotes from interviewees on the risk; and identifies changes in the developmental stages of each risk from the previous year, where applicable.

CYBERSECURITY

Definition: The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations' brands and reputations, often resulting in disastrous financial impacts. This risk examines whether organizations are sufficiently prepared to manage cyber threats that could cause disruption and reputational harm.

Analysis: Nearly all respondents see Cybersecurity as being highly relevant to their organization. However, personal knowledge of this highly impactful risk remains particularly low amongst all players, particularly CAEs. This low level of knowledge likely stems from the ever-evolving nature of cyber threats. Overall, a low percentage of respondents across all groups rated the capability of their organizations to manage Cybersecurity as high. In particular, few board members perceive their organization as being highly capable of managing Cybersecurity.

Quotes:

“Cybersecurity risk is an ever-evolving risk. The architecture and planning processes that have been used to deal with cybersecurity have become more complex as technology has become more prevalent.” (Board, Finance)

“As we have witnessed with the pipeline hack this year, these cybersecurity attacks can have a huge trickle-down effect. All industries are susceptible to cybersecurity risk to some extent.” (Board, Manufacturing)

RISK STAGE: Remained in Develop
KNOWLEDGE AND CAPABILITY (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)
RISK RELEVANCE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7): Board, CAE, C-suite; values plotted: 77%, 87%, 97%

TALENT MANAGEMENT

Definition: The increased need for and acceptance of remote operations, including working from home, as well as continued dynamic labor conditions are redefining how work gets done. This risk examines the challenges organizations face in identifying, acquiring, upskilling, and retaining the right talent to achieve their objectives.

Analysis: Despite all key management players seeing Talent Management as one of the most relevant risks to their organizations, perceptions of both personal knowledge and organizational capability remain relatively low for board members and CAEs. Senior executive perceptions of their personal knowledge and their organization's capabilities in this space are much higher.

Quotes:

“Companies are working so hard to survive; all strategies are out the window. When you don't get to see employees face-to-face, it's challenging.” (Board, Government)

“Hiring in this remote environment has allowed us to consider hiring without a geographic limitation. The question we are now asking ourselves is: do we hire a higher quality candidate to work fully remote, or do we hire a lesser candidate who is able to come into the office?” (CAE, Automotive)

RISK STAGE: Moved from Explore to Develop
KNOWLEDGE AND CAPABILITY (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)
RISK RELEVANCE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7): Board, CAE, C-suite; values plotted: 83%, 87%, 90%

ORGANIZATIONAL GOVERNANCE

Definition: Governance encompasses all aspects of how an organization is directed and managed and the system of rules, practices, processes, and controls by which it operates. This risk examines whether an organization's governance assists or hinders achievement of objectives.

Analysis: Personal knowledge is high across all three risk management players of this relatively mature risk, which is widely regarded as highly relevant. However, significant misalignment exists on organizational capability to manage this important component of ESG. Fewer board members than senior executives rated their organizations as having high organizational capability for this risk area.

Quotes:

“How you plan for all of the other risks can be attributed to organizational governance. It's extremely important and covers everything.” (C-suite, Manufacturing)

“For a lot of public companies, capability could be higher. Just look at some of the issues that arise. If everyone was really good at it, we wouldn't be seeing so much breakdown in the structures at public companies.” (Board, Finance)

RISK STAGE: Remained in Maintain
KNOWLEDGE AND CAPABILITY (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)
RISK RELEVANCE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7): Board, CAE, C-suite; values plotted: 83%, 80%, 70%

DATA PRIVACY

Definition: The growing list of regulations from jurisdictions around the world is making Data Privacy increasingly complex and dynamic. This risk examines how organizations protect sensitive data in their care and ensure compliance with all applicable laws and regulations.

Analysis: Despite having lower personal knowledge and lower perceptions of organizational relevance of this increasingly regulated risk, members of the C-suite have a higher perception of organizational capability than do either board members or CAEs.

Quotes:

“It's critical to have procedures in place to analyze, collect, and store data that are common practices throughout the organization.” (CAE, Government)

“I hear a ton about data privacy compared to 10 years ago, and I think it will grow in importance.” (C-suite, Healthcare)

RISK STAGE: Develop (new to OnRisk)
KNOWLEDGE AND CAPABILITY (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)
RISK RELEVANCE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7): Board, CAE, C-suite; values plotted: 70%, 77%

CULTURE

Definition: With an increasing percentage of professional employees working remotely full- or part-time, organizations are challenged to maintain, enhance, or control their organizational culture. This risk examines whether organizations understand, monitor, and manage the tone, incentives, and actions that drive the desired behavior.

Analysis: There is strong alignment across all key risk management players regarding the relevance of Culture to organizational success. However, a gap exists between the number of board members who have high personal knowledge of this risk and senior executives who do. Similarly, fewer board members perceive their organizations as having a high capability to manage this risk, which is increasingly important to organizations as they emerge from the global pandemic.

Quotes:

“We all live culture, but understanding how to manage it and change it is a different beast altogether.” (CAE, Finance)

“Our worry is about losing the culture with the new people. They never really got to experience culture because they go right from being hired to working from home.” (C-suite, Real Estate)

RISK STAGE: Remained in Develop
KNOWLEDGE AND CAPABILITY (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)
RISK RELEVANCE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7): CAE, Board, C-suite; value plotted: 70%

ECONOMIC AND POLITICAL VOLATILITY

Definition: The ongoing impacts of the pandemic combined with the normal dynamics of macroeconomic cycles have the potential to create volatility in the markets in which organizations operate. This risk examines the challenges and uncertainties organizations face in a dynamic and potentially volatile economic and political environment.

Analysis: Overall, there is fairly strong alignment among executive management, board members, and chief audit executives across risk relevance, personal knowledge, and organizational capability. However, while more than two-thirds of all respondents saw the potential effects resulting from Economic and Political Volatility as having a high impact on their organizations, personal knowledge surrounding this risk and perceptions of organizational capability remain relatively low.

Quote:

“Things were a breeze until 2008-2009. Now 2020-2021 into 2022, we're expecting a lot of volatility. I don't have strong feelings about where the economy is going, but we're planning more now for major impacts like product shortages, delays, disruptions like that.” (C-suite, Finance)

RISK STAGE: Remained in Develop
KNOWLEDGE AND CAPABILITY (percentage who gave a rating of 6 or 7 on a scale of 1 to 7)
RISK RELEVANCE (percentage who gave a rating of 6 or 7 on a scale of 1 to 7): Board, C-suite, CAE; values plotted: 63%, 67%, 80%

CHANGE IN REGULATORY ENVIRONMENT

Definition: Fundamental changes in government appetite for regulation can have a significant impact on organizations, including those not considered heavily regulated. This risk examines the challenges organizations face in a dynamic and ambiguous regulatory environment.

Analysis: Despite general alignment on the increasing risk relevance of a changing regulatory environment, personal knowledge related to this risk is low, particularly for chief audit executives and the C-suite. While personal knowledge is higher for this risk among board members, it is still lower than for several other risks. Board members are somewhat more confident in the ability of their organizations to manage this important risk.

Quotes:

“This could be a big issue for us and there is a real risk here. It is important for folks to keep their eyes on changing regulations.” (CAE, Finance)

“A lot of companies are reluctant to take a step forward unless forced to.” (C-suite, Healthcare)

RISK RELEVANCE: Percentage who gave a ratin

218、g of 6 or 7 on a scale of 1 to 7 Change in Regulatory EnvironmentBoardCAE C-suite67%73%RISK STAGEDevelop New to OnRiskKNOWLEDGE AND CAPABILITYPercentage who gave a rating of 6 or 7 on a scale of 1 to 7www.theiia.org 37SUPPLIER AND VENDOR MANAGEMENTTHE RISKSDefinition:For an organization to be succes

219、sful,it has to maintain healthy and fruitful relationships with its external business partners and vendors.This risk examines organizations abilities to select and monitor third-party relationships.Analysis:While more CAEs have high personal knowledge of this critical risk in an increasingly interco

220、nnected business environment,fewer perceive their organizations as having a high capability to manage this risk.This gap between CAEs and their stakeholders may be driven by a higher percentage of CAEs viewing this risk as being highly relevant to their organizations,likely stemming from publicly re

221、ported cyber threats,compliance-related issues,and other disruptive events arising from third-party relationships.Quotes:“The challenge is how do we keep this relationship with these long-time vendors,and at the same time how do we go out and find what we need if that vendor cannot provide it.”C-sui

222、te,Manufacturing“Our organization has really strong relationshipsbut I gave it a lower capability score because data privacy,protection,cybersecuritythose things are harder to manage with our suppliers.”CAE,Technology RISK RELEVANCEPercentage who gave a rating of 6 or 7 on a scale of 1 to 7 Supplier

223、 and Vendor ManagementRISK STAGEMoved from Explore to DevelopBoardC-suiteCAE60%67%77%KNOWLEDGE AND CAPABILITYPercentage who gave a rating of 6 or 7 on a scale of 1 to 7www.theiia.org 38DISRUPTIVE INNOVATIONTHE RISKSDefinition:We are in an era of innovative business models,fueled by disruptive techno

224、logies.This risk examines whether organizations are prepared to adapt to and/or capitalize on disruption.Analysis:There is a fairly wide gap between the percentage of board members who see this risk as highly relevant compared to C-suite executives who do.Further,more board members perceive their pe

225、rsonal knowledge of this very important risk as being high.However,board members may be overconfident in organizations capa-bility to manage Disruptive Innovation as more board members see their organizations as having high capability to manage this risk than do members of the C-suite.Quotes:“Its a

226、matter of awareness and researchsome innovations come and go but others hang around,like cryptocurrency.”C-suite,Nonprofit“Were not innovative,change is very slow to happen.Everything is about bandaging a preparedness and ability to adapt is not there.”Board,Healthcare RISK RELEVANCEPercentage who g

227、ave a rating of 6 or 7 on a scale of 1 to 7 Disruptive InnovationRISK STAGERemained in RecognizeBoardC-suiteCAE77%50%63%KNOWLEDGE AND CAPABILITYPercentage who gave a rating of 6 or 7 on a scale of 1 to 7www.theiia.org 39SOCIAL SUSTAINABILITYTHE RISKSDefinition:Increasingly,there is a recognition tha

228、t organizations have significant influence on individuals who they employ,who work in their value chain,who consume their products and services,and who live in their communities.This risk examines the ability of organizations to understand and manage the direct and indirect impacts their actions hav

229、e on individuals and communities.Analysis:Among the key risk management players,there is very strong alignment on the risk relevance and perception of organizational capability for this fast-emerging risk that touches all industries.However,the CAE group significantly lags behind its stakeholder gro

230、ups related to personal knowledge of this risk.Quote:“Sustainability is going to be an absolute imperative in order to preserve,maintain,and grow wealth.This is like any other investment in business.These investments need to be made in order to protect and sustain the value thats being created.”Boar

231、d,Finance RISK RELEVANCEPercentage who gave a rating of 6 or 7 on a scale of 1 to 7 Social SustainabilityRISK STAGEDevelop New to OnRiskBoardC-suiteCAE60%63%KNOWLEDGE AND CAPABILITYPercentage who gave a rating of 6 or 7 on a scale of 1 to 7www.theiia.org 40SUPPLY CHAIN DISRUPTIONTHE RISKSDefinition:

232、The disruption to business-as-usual operations globally,rooted in the global pandemic,has highlighted the need for resilience in supply chains in support of organizations achievement of strategic objectives.This risk examines whether organizations have built in the flexibility to adapt to current an

233、d future supply chain disruptions.Analysis:There is strong alignment among board members and senior executives with regard to the risk relevance of Supply Chain Disruption,with slightly more than half of these stakeholders seeing it as a highly relevant risk to their organizations.The CAE group lags

234、 behind in personal knowledge of this increasingly important risk in the global economy,which may be a result of fewer CAEs seeing this risk as highly relevant to their organizations.Quotes:“Borders closing down,and things like the Suez Canal getting plugged up have made us more in tune with supply

235、chain issues.”CAE,Finance “It used to just be what we thought about when we pulled up to the gas pump now its of importance across many industries.”Board,FinanceRISK RELEVANCEPercentage who gave a rating of 6 or 7 on a scale of 1 to 7 Supply Chain DisruptionRISK STAGEExplore New to OnRiskBoardC-suit

236、eCAE53%57%43%KNOWLEDGE AND CAPABILITYPercentage who gave a rating of 6 or 7 on a scale of 1 to 7www.theiia.org 41ENVIRONMENTAL SUSTAINABILITYTHE RISKSDefinition:Organizations are facing increased pressure from stakeholders,including shareholders,regulators,customers,and employees,to evaluate and dis

237、close how they are impacting the environment in which they operate.This risk examines the ability of organizations to reliably measure,evaluate,and accurately report on their environmental impacts.Analysis:While there is fairly strong alignment in this area,relatively few respondents,particularly se

238、nior executives,see this quickly emerging risk as one that could be highly relevant to their organizations.Personal knowledge across all groups was also quite low.Fewer board members believe that their organizations have high capability to manage Environmental Sustainability risks.Quotes:“There is t

239、he issue of measurement for every organization.Theres a lack of standardized measurement and reporting in this area which creates confusion.”CAE,Healthcare “Most organizations want to have good environmental sustainability policies,procedures,and programs,but it is not always front and center when d

240、ealing with all these other risks.”Board,HealthcareRISK RELEVANCEPercentage who gave a rating of 6 or 7 on a scale of 1 to 7 Environmental SustainabilityRISK STAGEDevelop New to OnRiskBoardC-suiteCAE40%50%KNOWLEDGE AND CAPABILITYPercentage who gave a rating of 6 or 7 on a scale of 1 to 7www.theiia.o

241、rg 42www.theiia.org 43About The IIAThe Institute of Internal Auditors(IIA)is the internal audit professions most widely recognized advocate,educator,and provider of standards,guidance,and certifications.Established in 1941,The IIA today serves more than 200,000 members from more than 170 countries a

242、nd territories.The associations global headquarters is in Lake Mary,Fla.,USA.For more information,visit www.globaliia.org.DisclaimerThe IIA publishes this document for informational and educational purposes.This material is not intended to provide definitive answers to specific individual circumstan

243、ces and as such is only intended to be used as a guide.The IIA recommends seeking independent expert advice relating directly to any specific situation.The IIA accepts no responsibility for anyone placing sole reliance on this material.CopyrightCopyright 2021 The Institute of Internal Auditors,Inc.All rights reserved.For permission to reproduce,please contact copyrighttheiia.org.Global HeadquartersThe Institute of Internal Auditors1035 Greenwood Blvd.,Suite 401 Lake Mary,FL 32746,USAPhone:+1-407-937-1111Fax:+1-407-937-1101www.globaliia.org
